Digital signature system and method based on hard lattice problem

ABSTRACT

A sender computer maps a randomized concatenation of a message μ to a point “x” in space using a function that renders it infeasible that a second message can be mapped nearby the message μ. The function can be a collision intractable or non-collision intractable function that maps the message to a point “x” on a widely-spaced grid, or the function can map the message to a point “x” of an auxiliary lattice. In either case, the sender computer, using a short basis (essentially, the private key) of a key lattice, finds a lattice point “y” that is nearby the message point “x”, and then at least the points “x”, “y”, and message are sent to a receiver computer. To verify the signature, the receiver computer simply verifies that “y” is part of the lattice using a long basis (essentially, the public key), and that the distance between “x” and “y” is less than a predetermined distance, without being able or having to know how the lattice point “y” was obtained by the sender computer.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to systems and methods for producing digital signatures based on the hardness of solving a worst-case lattice problem.

2. Description of the Related Art

Digital signatures are used for many applications, including verifying the identity of the sender of a message. Most digital signature schemes rely on the difficulty of factoring a large number obtained as a product of two large prime numbers, or on computing discrete logarithms.

Goldreich et al. proposed using lattice reduction problems as a basis for producing digital signatures in Advances in Cryptology—CRYPTO, Springer LNCS, 1294:112-131 (1997). A lattice is a collection of points in n-dimensional space which satisfy certain properties, including (1) zero is in the set; (2) if a, b are in the set, then a+b, a−b are also in the set; (3) the lattice is generated by at least one finite basis, i.e., there exists a finite set (called a “basis”) such that every point in the lattice is expressible as an integer linear combination of the elements in the basis. The “length” of a basis is the length of the longest vector in the basis. It happens that a lattice typically can be defined using one of many bases, with the shortest basis being hard to find when the number “n” of dimensions becomes large.

Accordingly, the present invention recognizes that in a lattice-based digital signature scheme, an n-dimensional lattice can be generated that has a hard-to-find short basis, which is used as a sender's private key to sign a message by mapping the message to a point in the n-dimensional space. A recipient of the message can access a public key—the lattice with a relatively long basis—to verify the sender's identity by verifying the location of the message in the n-dimensional space. Unfortunately, the scheme disclosed by Goldreich et al., as admitted by Goldreich et al., might result in mapping two messages close together in the n-dimensional space, which would defeat the scheme as to those two messages because both messages would have the same digital signature.

In the present assignee's U.S. Pat. No. 5,737,425 to Ajtai, incorporated herein by reference, an interactive message authentication system is disclosed which uses lattices. Although directed primarily to message authentication, the '425 patent discloses a method for deriving a lattice with a short basis. As recognized by the present invention, however, a digital signature system, unlike a message authentication system, must provide irrefutability of a signature, such that a recipient of a message can show a message to a third party to prove the identity of the signer of the message, a feature not generally required in message authentication systems. The requirement of irrefutability is particularly important in e-commerce applications. Moreover, the invention disclosed in Ajtai is interactive, which in the context of digital signatures could render it susceptible to so-called “intruder in the middle” attacks. With the above recognitions in mind, the present invention has provided the inventive solutions disclosed below.

SUMMARY OF THE INVENTION

A computer-implemented method is disclosed for digitally signing data. The method includes generating a lattice having at least one short basis establishing a private key and at least one long basis establishing a public key. Further, the method includes mapping at least the message μ or a concatenation thereof to a message point “x” in n-dimensional space using a function “f”. The function “f” is selected such that the possibility of mapping two messages close together in the space is infeasible. Using the short basis, a lattice point “y” of the lattice is found that is close to the message point “x”.

In a preferred embodiment, at least the message point “x” and the lattice point “y” are returned as a digital signature. If desired, the function “f” can be randomized by concatenating the message μ with a random number ρ. Both the message μ and random number ρ are binary strings.

In one embodiment, the function “f” maps the message μ to a point on a grid. In this embodiment, the function “f” can be collision intractable, the collision intractability of which is derived from the hardness of lattice problems. In another embodiment, the function “f” is collision intractable. In still another embodiment, the function “f” maps at least the message to a point on an auxiliary lattice.

The present method can also include verifying a digital signature at a receiver computer at least in part by determining whether a difference between the lattice point “y” and the message point “x” is no more than a predetermined distance. The predetermined distance can be related to the number of dimensions in the lattice.

In another aspect, a computer program storage device includes a program of instructions for generating a digital signature for a message. The program of instructions in turn includes computer readable code means for mapping a message μ or a concatenation with a random string ρ to a message point “x” in n-dimensional space, with the message point “x” being a point of a grid or a point of an auxiliary lattice. Also, computer readable code means find a point “y” of a key lattice that is nearby the message point “x”, and computer readable code means establish a digital signature, based at least on the points “x” and “y”.

In still another aspect, a computer system for generating a digital signature of a message μ includes at least one sender computer. The sender computer includes logic for executing method steps that include mapping the message μ to a message point “x” at which it is not feasible to map any other message. Moreover, the logic of the sender computer finds a lattice point “y” that is relatively close to the message point “x”, and then the logic transmits at least the message μ and the points “x” and “y”. Further, the system includes at least one receiver computer that receives the message μ and points “x” and “y” and that executes logic including determining whether a distance between the points “x” and “y” is related in a predetermined way to a predetermined distance. Based thereon, it is determined whether the message μ has been properly signed.

In yet another aspect, a computer-implemented method for digitally signing data includes generating a lattice having at least one short basis and at least one long basis. The method also includes mapping at least the message μ or a concatenation thereof to a message point “x” in n-dimensional space. The message point “x” is an element of a set of spaced-apart points. Using the short basis, a lattice point “y” of the lattice is found that is close to the message point “x”.

BRIEF DESCRIPTION OF THE DRAWINGS

The details of the present invention, both as to its structure and operation, can best be understood in reference to the accompanying drawings, in which like reference numerals refer to like parts, and in which:

FIG. 1 is a block diagram of the present system;

FIG. 2 is a flow chart of the logic used during generation of a lattice-based digital signature; and

FIG. 3 is a flow chart of the logic for verifying the digital signature.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Referring initially to FIG. 1, a preferably non-interactive system for generating digital signatures based on lattice problems is shown, generally designated 10. Because the preferred system 10 is non-interactive, it is immune from so-called “intruder in the middle” attacks. In the particular architecture shown, the system 10 includes a sender computer 12 that executes a software-implemented digital signature module 14 in accordance with the logic below to digitally sign messages. As shown in FIG. 1, the sender computer 12 can send a message μ, a message point “x”, a lattice point “y”, and, if desired, a randomly generated number ρ in accordance with the disclosure below to a receiver computer 16. In turn, the receiver computer 16 executes a receiver module 18 to verify the signature.

It is to be understood that the logic disclosed herein may be executed by a processor as a series of computer-executable instructions. The instructions may be contained on a data storage device with a computer readable medium, such as a computer diskette. Or, the instructions may be stored on a DASD array, magnetic tape, conventional hard disk drive, electronic read-only memory, optical storage device, or other appropriate data storage device. In an illustrative embodiment of the invention, the computer-executable instructions may be lines of compiled C++ compatible code.

In any case, the flow charts herein illustrate the structure of the modules of the present invention as embodied in computer program software. Those skilled in the art will appreciate that the flow charts illustrate the structures of computer program code elements including logic circuits on an integrated circuit, that function according to this invention. Manifestly, the invention is practiced in its essential embodiment by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (that is, a computer) to perform a sequence of function steps corresponding to those shown.

FIG. 2 shows the logic of the digital signature module 14. The following notation is used for the below discussion. The notation x ∈_R X means that the number “x” is chosen uniformly randomly from the set X. For a binary string x, the symbol |x| denotes its length. For binary strings x, y, the symbol x ◯ y denotes their concatenation. All distances and norms are assumed to be Euclidean. For all integers a, b > 0, the notation Z^a_c is the set of all a-tuples of integers in the set {0, 1, …, c−1}. Similarly, Z^(a×b)_c is the set of all matrices of “a” rows and “b” columns whose elements are integers in the set {0, 1, …, c−1}. For a set b₁, …, b_n of vectors, the lattice generated by them is the set of all integer linear combinations of b₁, …, b_n, with the vectors establishing a “basis” of the lattice. The length of a basis is the Euclidean norm of the longest vector in the basis. Finally, the symbol [x] denotes the integer portion of a number x.

With the above discussion in mind, commencing at block 20 in FIG. 2, a lattice is generated that has a short basis and at least one long basis. The lattice preferably is generated using the principles set forth in the present assignee's U.S. Pat. No. 5,737,425 to Ajtai. It is to be understood that the short basis of the lattice is generated along with the lattice, but that once the lattice is known, it is a difficult if not impossible problem to reverse engineer the short basis. The long basis of the lattice, accordingly, is published as the public key at block 22 and the short basis is maintained in secrecy as the private key of the present digital signature scheme.

In any case, in the preferred method for generating the lattice set forth in the above-referenced patent, a variable “r” is selected that is sufficiently large such that the worst-case problems discussed in Ajtai, “Generating Hard Instances of Lattice Problems”, Proc. 28th ACM Symposium on Theory of Computing, pages 99-108 (1996) and incorporated herein by reference, are hard. Moreover, variables c_L1 and c_L2 are selected such that it is infeasible to find vectors of length r³ in n-dimensional lattices constructed in accordance with the above-referenced patent. Preferably, c_L2 ≥ 9 and c_L1 > c_L2.

Letting n = c_L1·r·(log r), finding vectors of length r³ is infeasible in the n-dimensional lattice that is created at block 20, assuming that certain worst-case lattice problems are hard in lattices of dimension n. Further, let q_L be the least odd integer satisfying q_L ≥ [r^(c_L2)], let K = r³, and let M = (n·q_L)^(1/2). The preferred key lattice is a random lattice in Γ′(n,M) as defined in the above-referenced patent, where an efficient construction of the lattice is also described that has a short basis generated along with it having a length of at most K/3n. In contrast, the public (long) basis preferably is at most of length M.

When the sender computer 12 desires to send a message μ, it enters a DO loop at block 24. Moving to block 26, the logic can, if desired, concatenate the message μ with a random string ρ. Then, proceeding to block 28, the message μ (or, more preferably, the concatenation μ◯ρ) is mapped to a message point “x” in n-dimensional space using a function “f” that is chosen such that it is infeasible that two messages would be mapped close to each other in space. “Close” is defined further below in the context of the two grid-based mapping methods and one auxiliary lattice-based mapping method.

More specifically, for the grid-based methods, assume that A is an n-dimensional grid of size “d”, where the preferred d = r⁴. Also, let the bit length of the hash output be n³q_L, and let the above-mentioned function “f” be established by a mapping hash function H from {0,1}^n to binary strings of that length. Further assume that the magnitude of the message is one-half n, i.e., that |μ| = n/2. First, ρ is selected from the set {0,1}^(n/2), and then the message point “x” is determined as an n-tuple of integers multiplied by “d” as follows: x = H(μ◯ρ)d. If the message point “x” as computed happens to be a point on the key lattice, the process above repeats with a new random string ρ.

In a first implementation of the grid-based method, the mapping function H is any hash function that satisfies the so-called Magic Hash Function condition that there exists an efficiently and publicly computable function that behaves like a random oracle. Some combination of hash functions such as Message Digest 5 (MD-5), “Sha”, and “Snefru” are assumed to approximate the Magic Hash Function. Such a function is not collision-intractable.

In a second implementation of the grid-based method, the mapping function H is a collision-intractable function, preferably a lattice-based hash function, wherein c_L1 and c_L2 have the property that it is infeasible to find vectors of length r³ in the lattice described in the above-referenced Ajtai publication. In this implementation, assume that q_H is the least odd integer satisfying q_H ≥ [r^(c_L2+4)]. The output of the hash function is n-tuples of integers in the set {0, 1, …, q_H − 1}. Further assume that c_H2 = c_L2 + 4, and c_H1 = c_L1, so that n = c_H1·r·log(r) = c_L1·r·log(r).

With the above definitions in mind, in the grid-based collision intractable embodiment, the mapping function H ∈_R Z^(r×n)_qH, and a variable m is a vector in Z^n_2, that is, an element of {0,1}^n. With this notation, H(m) = Hm mod q_H ∈ Z^r_qH, the output of which function is an r-tuple of integers in Z_qH. This output is interpreted as n integers of equal length, i.e., as a point in Z^n. As understood herein, it is computationally infeasible to find vectors of length “n” in the n-dimensional lattice of vectors x ∈ {0,1}^n such that Hx = 0 mod q_H. In other words, finding vectors of length r³ > n in the lattice of vectors defined by x ∈ {0,1}^n is computationally infeasible. Moreover, it is to be appreciated that the collision intractability of the function “f” as implemented in the last of the above-disclosed grid-based mapping methods, and in the below-disclosed auxiliary lattice mapping method, is derived from the hardness of lattice problems.
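The collision-intractable mapping H(m) = Hm mod q_H, and the reason its collision resistance rests on a lattice problem, as an added toy example that is not part of the patent's disclosure: the parameters r = 3, n = 8 and q_H = 11 are constructed and far too small for security; the public matrix is hand-picked with two equal columns so that one collision is known in advance (a real H is drawn uniformly at random, as the text states); and the re-interpretation of the r-tuple as n integers is skipped, the r-tuple being scaled by d directly.

```python
"""Toy instance of the lattice-based hash H(m) = H m mod q_H from the second grid-based mapping.

Constructed example, not the patent's construction: r, n and q_H are tiny, and H_MATRIX is
hand-written (columns 0 and 1 are deliberately equal so a collision is known) rather than
sampled uniformly from Z_q^{r x n} as the text requires.
"""

R, N, Q_H = 3, 8, 11  # toy r (rows), n (message bits) and odd modulus q_H

# Constructed public matrix H in Z_{q_H}^{r x n}.
H_MATRIX = [
    [3, 3, 1, 4, 5, 6, 7, 8],
    [2, 2, 7, 1, 9, 3, 10, 4],
    [8, 8, 6, 0, 3, 10, 2, 5],
]


def lattice_hash(H, m, q=Q_H):
    """H(m) = H m mod q for an n-bit string m (list of 0/1); returns an r-tuple in Z_q."""
    if len(m) != len(H[0]) or any(b not in (0, 1) for b in m):
        raise ValueError("m must be an n-bit binary string")
    return tuple(sum(h * b for h, b in zip(row, m)) % q for row in H)


def grid_point(H, m, d, q=Q_H):
    """Grid-based mapping x = H(m) * d: every coordinate of x is a multiple of the grid size d."""
    return [v * d for v in lattice_hash(H, m, q)]


def in_kernel_lattice(H, v, q=Q_H):
    """Membership in the lattice {x in Z^n : H x = 0 mod q} whose short vectors are assumed hard to find."""
    return all(sum(h * c for h, c in zip(row, v)) % q == 0 for row in H)


def collision_to_short_vector(H, m1, m2, q=Q_H):
    """Why collision resistance reduces to a lattice problem.

    If m1 != m2 collide under H, then v = m1 - m2 is a nonzero vector with entries in {-1, 0, 1}
    (Euclidean length at most sqrt(n)) lying in the kernel lattice, i.e. a short vector there.
    Returns v, or None if the pair is not a collision.
    """
    if m1 == m2 or lattice_hash(H, m1, q) != lattice_hash(H, m2, q):
        return None
    v = [a - b for a, b in zip(m1, m2)]
    assert in_kernel_lattice(H, v, q) and max(abs(c) for c in v) == 1
    return v


if __name__ == "__main__":
    # Constructed inputs: the known collision exploits the equal columns 0 and 1 of H_MATRIX.
    m1 = [1, 0, 0, 0, 0, 0, 0, 0]
    m2 = [0, 1, 0, 0, 0, 0, 0, 0]
    print("H(m1) =", lattice_hash(H_MATRIX, m1), " H(m2) =", lattice_hash(H_MATRIX, m2))
    print("grid point for m1 with d = 100:", grid_point(H_MATRIX, m1, 100))
    print("short kernel vector from the collision:", collision_to_short_vector(H_MATRIX, m1, m2))
```

The reduction is the whole point of preferring this H over an MD5/SHA-style "Magic Hash Function": anyone who produces two messages with the same grid point has also produced a vector of length at most √n in the kernel lattice, which is exactly what the parameter choice (no vectors of length r³ > n findable) is meant to rule out.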

As mentioned above, instead of using either of the two grid-based methods set forth above, a mapping using an auxiliary lattice can be undertaken at block 28. In this embodiment, assume that “A” is an n-dimensional auxiliary lattice chosen according to the same distribution as the key lattice is chosen. Accordingly, c_A1 = c_L1 and n = c_A1·r·log(r), q_A = q_H, and it is easy to find a basis for the auxiliary lattice A of length M = (n·q_A)^(1/2). Let P be a public matrix whose columns are the above-disclosed long basis vectors for the auxiliary lattice A.

With the above definitions in mind, the message μ is concatenated, if desired, with the random string ρ as before at block 26, but then at block 28 the message point “x” is determined by multiplying the concatenation by the public matrix P. If the message point x is found to be an element of the key lattice, another random string ρ is selected and the process repeats.

In any case, it is to be appreciated that in the grid-based or lattice-based mapping schemes disclosed above, the message μ is mapped to a message point “x” that is a point on a grid or a lattice. In other words, in contrast to previous lattice mapping schemes the message point “x” must be an element of a set of points that are spaced apart from each other in n-dimensional space, such that no two points in the set are close together. This makes it infeasible that any two messages will be mapped to locations that are sufficiently close together so as to make a single signature apply to both.

Once the message has been mapped to the message point, the logic moves from block 28 to block 30, wherein a closest point “y” of the key lattice to the message point “x” is determined, using the (private) short basis of the key lattice. Specifically, using the short basis, a point y of the key lattice is obtained such that ||x−y|| ≤ nK/(3n) (which, it will be recalled, = r³/3) by writing x as a linear (possibly non-integral) combination of vectors in the short basis, each of which has a length of at most K/(3n), and then rounding the coefficients to get a point y of the key lattice. Then, at block 32, the message μ, random string ρ (if used), message point “x”, and closest lattice point “y” are output for transmission of the message with lattice-based digital signature to the receiver computer 16.

FIG. 3 shows the logic by which the receiver module 18 of the receiver computer 16 verifies the signature output at block 32. Commencing at block 34, the message μ, random string ρ (if used), message point “x”, and closest lattice point “y” are received. Moving to block 36, it is verified, using the long basis, that the lattice point “y” is indeed a point on the key lattice. If desired, it can be further verified that μ◯ρ ∈ Z^n_2. When a grid-based mapping method is employed, it can be further verified that x = H(μ◯ρ)d, whereas when an auxiliary lattice mapping method is used it can be verified that x = P(μ◯ρ).

Moreover, using the long basis the receiver computer 16 moves to block 38 to verify that the message point “x” is indeed close to the lattice point “y”. In a particularly preferred embodiment, this is done by verifying that ||x−y|| ≤ r³/3. More generally, at block 38 it is determined whether a difference between the lattice point “y” and the message point “x” is no more than a predetermined distance. If any test fails, it can be determined that the message μ has not been properly signed.
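The signing flow of FIG. 2 (blocks 20 through 32) and the verification flow of FIG. 3 (blocks 34 through 38), in toy form, as an added example that is not part of the patent's disclosure: the key lattice is built from a hand-written short basis and a constructed unimodular transform rather than by the Ajtai construction the text references; SHA-256 stands in for the "Magic Hash Function" H of the first grid-based method; the dimension n = 3, grid size d = 1000 and the public distance bound (n times the longest short-basis vector, standing in for nK/(3n)) are constructed values. Exact rational arithmetic is used so that lattice membership and the distance check are not subject to floating-point error.

```python
"""Toy hash-and-sign lattice signature in the shape of FIGS. 2 and 3.

Constructed example, not the patent's construction: S, U, N, D and the bound are hand-picked,
SHA-256 plays the role of the Magic Hash Function H, and the key lattice is NOT generated by
the Ajtai method the text references. Parameters are far too small for any security.
"""
import hashlib
import os
from fractions import Fraction

N = 3       # lattice dimension n (toy size)
D = 1000    # grid size d: message points x lie on the grid d * Z^n


def mat_mul(a, b):
    """Product of two matrices given as lists of rows."""
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def solve(basis, target):
    """Exact solution c of  c * basis = target  (rows of `basis` are the basis vectors).

    Gauss-Jordan elimination over Fractions on the system basis^T c = target.
    """
    n = len(basis)
    aug = [[Fraction(basis[j][i]) for j in range(n)] + [Fraction(target[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = 1 / aug[col][col]
        aug[col] = [v * inv for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [aug[i][n] for i in range(n)]


def keygen():
    """Block 20/22: private short basis S; public long basis P = U * S with U unimodular
    (so both generate the same lattice) plus the public squared distance bound (n * max||s_i||)^2."""
    S = [[5, 1, 0], [0, 5, 1], [1, 0, 5]]   # constructed short, nearly orthogonal basis
    U = [[1, 3, 0], [2, 7, 0], [1, 2, 1]]   # constructed unimodular matrix, det(U) = 1
    P = mat_mul(U, S)
    max_len_sq = max(sum(v * v for v in row) for row in S)
    return S, (P, N * N * max_len_sq)


def map_to_grid(msg: bytes, rho: bytes):
    """Block 28: x = H(mu || rho) * d, with SHA-256 standing in for H (constructed choice)."""
    digest = hashlib.sha256(msg + rho).digest()
    return [int.from_bytes(digest[8 * i:8 * i + 8], "big") * D for i in range(N)]


def closest_lattice_point(S, x):
    """Block 30: write x as a (non-integral) combination of the rows of S and round the
    coefficients; the error ||x - y|| is at most (1/2) * sum ||s_i||."""
    rounded = [round(c) for c in solve(S, x)]
    return [sum(rounded[i] * S[i][j] for i in range(N)) for j in range(N)]


def sign(S, pk, msg):
    """Blocks 24-32: randomize with rho, map to the grid, find y; resample rho if x is on the lattice."""
    while True:
        rho = os.urandom(16)
        x = map_to_grid(msg, rho)
        y = closest_lattice_point(S, x)
        if y != x:
            return rho, x, y


def is_lattice_point(P, y):
    """Block 36: y is on the key lattice iff its coefficients w.r.t. the public basis are integers."""
    return all(c.denominator == 1 for c in solve(P, y))


def verify(pk, msg, sig):
    """Blocks 34-38, using only the public key: x must be H(mu || rho) d, y must lie on the
    lattice, and ||x - y||^2 must not exceed the public bound."""
    P, bound_sq = pk
    rho, x, y = sig
    if x != map_to_grid(msg, rho):
        return False
    if not is_lattice_point(P, y):
        return False
    return sum((a - b) ** 2 for a, b in zip(x, y)) <= bound_sq


if __name__ == "__main__":
    S, pk = keygen()
    msg = b"constructed sample message"
    sig = sign(S, pk, msg)
    print("valid:", verify(pk, msg, sig), " tampered:", verify(pk, msg + b"!", sig))
```

The receiver never touches S: membership of y is decided by solving against the public basis P and requiring integral coefficients, the distance test is done on squared norms so it stays in integers, and a forged pair (x, y) with y a genuine lattice point but far from x fails at the last check, which is the property the spaced-apart grid is there to protect.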

While the particular DIGITAL SIGNATURE SYSTEM AND METHOD BASED ON HARD LATTICE PROBLEM as herein shown and described in detail is fully capable of attaining the above-described objects of the invention, it is to be understood that it is the presently preferred embodiment of the present invention and is thus representative of the subject matter which is broadly contemplated by the present invention, that the scope of the present invention fully encompasses other embodiments which may become obvious to those skilled in the art, and that the scope of the present invention is accordingly to be limited by nothing other than the appended claims, in which reference to an element in the singular is not intended to mean “one and only one” unless explicitly so stated, but rather “one or more”. All structural and functional equivalents to the elements of the above-described preferred embodiment that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the present claims. Moreover, it is not necessary for a device or method to address each and every problem sought to be solved by the present invention, for it to be encompassed by the present claims. Furthermore, no element, component, or method step in the present disclosure is intended to be dedicated to the public regardless of whether the element, component, or method step is explicitly recited in the claims. No claim element herein is to be construed under the provisions of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the phrase “means for”.

1. A computer-implemented method for digitally signing data, comprising: generating a lattice having at least one short basis establishing a private key and at least one long basis establishing a public key; mapping at least the message μ or a concatenation thereof to a message point “x” in n-dimensional space using a function “f” rendering infeasible the possibility of mapping two messages together in the space; and using the short basis, finding a lattice point “y” of the lattice that is close to the message point “x” and using at least the message point “x” and lattice point “y”, digitally signing an entity, wherein the function “f” maps the message μ to a point on a grid and is collision intractable.
 2. The method of claim 1, further comprising randomizing the function “f”.
 3. The method of claim 2, wherein the function “f” is randomized by concatenating the message μ with a random number ρ.
 4. The method of claim 1, wherein the collision intractability of the function “f” is derived from the hardness of lattice problems.
 5. The method of claim 1, wherein the function “f” maps at least the message to a point on an auxiliary lattice.
 6. The method of claim 1, further comprising verifying a digital signature at least in part by determining whether a difference between the lattice point “y” and the message point “x” is no more than a predetermined distance.
 7. The method of claim 6, wherein the predetermined distance is related to the number of dimensions in the lattice.
 8. A computer program storage device including a program of instructions for generating a digital signature for a message, the program of instructions including: computer readable code means for mapping a message μ or a concatenation thereof to a message point “x” in n-dimensional space, the message point “x” being a point of a grid or a point of an auxiliary lattice; computer readable code means for finding a point “y” of a key lattice that is not the same as the auxiliary lattice; and computer readable code means for establishing a digital signature, based at least on the points “x” and “y”.
 9. The computer program storage device of claim 8, wherein the means for mapping uses a function “f” rendering infeasible the possibility of mapping two messages close together in the space, and wherein the means for finding includes using a hard to find short basis of the key lattice.
 10. The computer program storage device of claim 9, further comprising means for randomizing the function “f”.
 11. The computer program storage device of claim 10, wherein the function “f” is randomized by concatenating the message μ with a random number ρ.
 12. The computer program storage device of claim 9, wherein the function “f” maps at least the message to a point on an auxiliary lattice.
 13. The computer program storage device of claim 8, wherein the function “f” maps the message μ to a point on a grid, and wherein the function “f” is collision intractable, the collision intractability being derived from the hardness of lattice problems.
 14. The computer program storage device of claim 8, wherein the function “f” is not collision intractable.
 15. A computer system for generating a digital signature of a message μ, comprising: at least one sender computer including logic for executing method steps including: mapping the message μ to a message point “x” at which it is not feasible to map any other message; finding a lattice point “y”; and transmitting at least the message μ and the points “x” and “y”; at least one receiver computer receiving the message μ and points “x” and “y” and including logic for executing method steps including: determining whether a distance between the points “x” and “y” is related in a predetermined way to a predetermined distance, and based thereon determining whether the message μ has been properly signed.
 16. The system of claim 15, wherein the mapping act is undertaken using a function “f” that maps the message point “x” to a point of a grid or of an auxiliary lattice, and further wherein the lattice point “y” is a member of a lattice, and the finding act is undertaken using a hard-to-find short basis of the lattice.
 17. The system of claim 16, wherein the acts undertaken by the logic of the sender computer further comprise randomizing the function “f” by concatenating the message μ with a random number ρ.
 18. The system of claim 16, wherein the function “f” is collision intractable.
 19. The system of claim 18, wherein the collision intractability of the function “f” is derived from the hardness of lattice problems.
 20. The system of claim 16, wherein the function “f” is not collision intractable.
 21. The system of claim 16, wherein the predetermined distance is related to the number “r” of dimensions in the lattice.
 22. A computer-implemented method for digitally signing data, comprising: generating a lattice having at least one short basis and at least one long basis; mapping at least the message μ or a concatenation thereof to a message point “x” in n-dimensional space, the message point “x” being an element of a set of spaced-apart points not on the lattice; and using the short basis, finding a lattice point “y” of the lattice; and using at least the message point “x” and lattice point “y”, digitally signing an entity, wherein the mapping is undertaken using a function “f” that is not collision intractable.
 23. The method of claim 22, further comprising randomizing the function “f” by concatenating the message μ with a random number ρ.
 24. The method of claim 22, wherein the function “f” maps the message μ to a point on a grid.
 25. The method of claim 22, wherein the function “f” maps at least the message to a point on an auxiliary lattice.
 26. The method of claim 22, further comprising verifying a digital signature at least in part by determining whether a difference between the lattice point “y” and the message point “x” is no more than a predetermined distance.
 27. The method of claim 26, wherein the predetermined distance is related to the number of dimensions in the lattice.